API Penetration Testing
What is an Application Programming Interface (API)?
A web service is software built around an XML messaging system. Such web services are made up of three components:
- SOAP (Simple Object Access Protocol)
- UDDI (Universal Description, Discovery, and Integration)
- WSDL (Web Services Description Language)
Web services depend on XML to tag data, SOAP to transfer messages and WSDL to describe the components of the web service. APIs or web services provide developers with subroutines, communication protocols, and tools for building software. Cloud Application Programming Interfaces (Cloud APIs) are a type of API that enables the development of applications and services used for provisioning cloud hardware, software, and platforms. APIs provide a single point of entry into applications irrespective of the technologies and architecture used, which meets an essential requirement in an age of separate cloud service providers. The utility of APIs has led to their rising use in cloud environments.
What are the threats to APIs?
In many cloud systems APIs are the only asset outside the trusted company network with a public IP address, which makes them the most likely first port of call for attackers. This makes it very important that the APIs have been designed with security in mind and use adequate authentication and access control methods together with encryption technologies to make sure that information isn't leaked.
Companies which follow the "security by design" approach and understand the need for security when using APIs will also take steps to ensure sufficient authentication, authorization, and encryption are built in, as well as making sure the code itself doesn't contain any obvious vulnerabilities. However, this often isn't the case. Organizations which haven't embraced secure coding methodologies and release code to production that is not adequately hardened are vulnerable.
APIs are subject to vulnerabilities and attacks of several kinds, such as:
- SAML/OAuth/OpenID authentication flaws
- Fuzzing attacks
- XML Bomb (DoS)
- Malicious Attachment/File Upload
- Encryption based vulnerabilities
How to make APIs secure?
Testing an API for security issues at different levels is important. There are a few well-known industry practices that you can follow.
- To resist fuzzing-based attacks, proper input sanitization and input validation help create a secure application.
- Against encryption-based attacks, follow the established standards and implement the technologies correctly.
- In the case of authentication-based attacks, there are several areas to secure, such as:
  - Making API keys random and avoiding serialization.
  - CSRF protection for the authorization process.
  - Defining and validating scope parameters for each application.
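As an added example (not code from the original article), the following Python gatekeeper applies the input-validation advice above to incoming SOAP/XML request bodies, with the XML bomb (DoS) case in mind: it caps body size, refuses any DTD or entity declaration before the parser sees it, and bounds nesting depth and element count while parsing. The limits, function name and sample bodies are assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Assumed per-request limits for a SOAP/XML body; tune them per service.
MAX_BODY_BYTES = 1_000_000
MAX_DEPTH = 64
MAX_ELEMENTS = 10_000
CHUNK = 64 * 1024

# Entity expansion ("billion laughs") and external entities both need a DTD,
# so any DOCTYPE or ENTITY declaration is refused before the parser sees it.
# A literal "<!DOCTYPE" inside CDATA is refused too: the check fails closed.
_DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)", re.IGNORECASE)


def check_xml_body(body: bytes, max_bytes: int = MAX_BODY_BYTES,
                   max_depth: int = MAX_DEPTH, max_elements: int = MAX_ELEMENTS) -> tuple[bool, str]:
    """Return (ok, reason): ok only if the body is within the size cap,
    declares no DTD, and is well-formed XML within the depth/element caps."""
    if len(body) > max_bytes:
        return False, "body exceeds size limit"
    if _DTD_MARKER.search(body):
        return False, "DTD/entity declarations are not allowed"
    parser = ET.XMLPullParser(events=("start", "end"))
    depth = elements = 0
    try:
        # Feed in chunks and enforce the caps as events arrive, so an
        # over-deep or over-wide document is rejected before it is fully built.
        for offset in range(0, len(body), CHUNK):
            parser.feed(body[offset:offset + CHUNK])
            for event, _elem in parser.read_events():
                if event == "start":
                    depth += 1
                    elements += 1
                    if depth > max_depth:
                        return False, "nesting too deep"
                    if elements > max_elements:
                        return False, "too many elements"
                else:
                    depth -= 1
        parser.close()
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    return True, "ok"


# Constructed sample bodies (not from any real service).
GOOD_BODY = b"<Envelope><Body><GetUser><id>42</id></GetUser></Body></Envelope>"
# Shape of an entity-expansion payload: a DTD whose entities reference each
# other. The DTD check rejects it, so the entities are never expanded.
BOMB_BODY = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY a "aaaa">'
             b'<!ENTITY b "&a;&a;&a;&a;">]><r>&b;</r>')
DEEP_BODY = b"<a>" * 200 + b"</a>" * 200
```

Run the checker in front of the SOAP handler and log the rejection reason; the reason strings double as a detection signal for clients that repeatedly send DTDs or over-nested documents.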
To ensure the security of such applications, repeated penetration testing is required, for which various guidelines exist from organizations like OWASP, along with tools such as SoapUI Pro, OWASP ZAP, WSBang, HP WebInspect, WSMap and IBM AppScan.